SlideShare una empresa de Scribd logo

HIPAA and Beyond: Effectively Safeguard EPHI

Ben Rothke
Ben Rothke

Lumension white paper - HIPAA and Beyond - How to Effectively Safeguard Electronic Protected Health Information

Tecnología
1 de 7
Descargar para leer sin conexión
HIPAA and Beyond How to Effectively Safeguard Electronic Protected Health Information Ben Rothke, CISSP PCI QSA August 4th, 2008
HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information Introduction HIPAA Privacy Rule and Security Rule. The In the world of information security, well-defined Privacy Rule became effective in April 2003 and security programs are the forests, and regulations establishes regulations for the use and disclo- like HIPAA, SoX and PCI are the trees. And too sure of Protected Health Information (PHI). PHI many healthcare organizations mistake the forest is broadly defined as any information about the for the trees. health status, provision of health care, or pay- ment for health care that can be linked to an in- By way of analogy, one of the benefits of Social dividual. This is interpreted rather broadly and Security is SSI or Supplemental Security Income. includes any part of a patient’s medical record or The operative word is supplemental. Social Se- payment history1. curity is meant to augment your retirement, not be the main income source for your retirement. The HIPAA security rule was issued in February HIPAA is much like SSI and meant to supplement 2003 and complements the Privacy Rule. While your formal information security program. If you the Privacy Rule pertains to all PHI, including view HIPAA as the end-all of your information paper- and electronic-based, the Security Rule security and privacy program, you are in huge deals specifically with electronic PHI (EPHI) and trouble. lays out three types of security safeguards re- quired for compliance: administrative, physical This white paper will detail how to go beyond and technical. For each, the Rule identifies vari- HIPAA by showing how to use HIPAA as the ous security standards, and for each standard, it starting point for your security program, and then names both required and addressable implemen- using best practices and Lumension Security so- tation specifications. lutions to improve your overall security posture. Moving Beyond HIPAA HIPAA – Showing its Age HIPAA was created by non-security personnel, Imagine paying $1.25 for a gallon of gasoline. who likely could not differentiate between a fire- One would have to go all the way back to 1996 to wall and fire extinguisher. The outcome is that get that price. Going back to 1996 also takes us HIPAA lacks the depth and breadth on which to to the year when Congress enacted the Health build an information security program. If you build Insurance Portability and Accountability Act your security and privacy program with HIPAA (HIPAA). solely as its foundation, it will fail as HIPAA takes a myopic view of security and privacy with PHI HIPAA was created for health insurance reform being the center of its universe. But there is much and the streamlining of claims, and not about more to information security than PHI. security and privacy. Title I of HIPAA protects health insurance coverage for workers and their With that, covered entities2 (CE) must look be- families when they change or lose their jobs. Ti- yond HIPAA and focus globally if they want more tle II of HIPAA known as the Administrative Sim- than simply HIPAA compliance. plification provisions, requires the establishment of national standards for electronic health care While the intent of HIPAA was valorous, over a transactions and national identifiers for providers, decade has passed since its initial inception and health insurance plans, and employers. it has already begun to show its age. Organiza- tions that mistakenly look to HIPAA for their secu- Administration Simplification provisions also ad- rity infrastructure should stop being shortsighted dress the security and privacy of patient health and look forward. data. The HIPAA security and privacy rules are meant to improve the efficiency and effective- While HIPAA is a static regulation, CE’s exist in a ness of the nation’s health care system by en- dynamic IT world with new threats coming about couraging the widespread use of electronic data daily. When HIPAA first came out, vulnerability interchange in the US health care system. assessments, patching and configuration reme- diation were only typically performed quarterly at HIPAA Security and Privacy Rule best. Now with zero-day threats, lack of a de- Within Administration Simplification exists the fined network perimeter and focus on information
HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information protection, the need for real-time patching and Using frameworks such as ISO-17799 or ITIL proactive endpoint and data protection is a basic helps CE’s by giving them a structure with which requirement. to protect their IT assets. Also, when an organi- zation decides to formally embrace a framework, The following steps in this white paper will show it sends a strong message of its commitment to you how to get that global view and how to move information security. beyond HIPAA for any CE. Within HIPAA, using a framework can be espe- Step 1 - Using a Framework for Security cially valuable as it can show others the depth of The healthcare industry doesn’t have a lack of your security program, and your overall commit- information security products at its disposal. ment to their security and privacy. As security Data centers are stocked full of racks of firewalls, is becoming a differentiating factor, the use of VPN’s, security appliances and much more. a framework can differentiate your organization While the underlying infrastructure is there, the from insecure ones. challenges CE’s face is making these products work together, to provide adequate security, and Step 2 – Risk Assessment to support their HIPAA compliance effort. The foundation of any information security pro- gram must be a formal and comprehensive risk By employing a well-developed, organized and assessment. If you don’t know your risks, you enforced set of security policies, and by under- have no idea of your security context, no idea of standing where your exposures reside, you will who your adversaries are, and in essence, you be better prepared for issues when they occur. are shooting in the security dark. CE’s that jump Organizations that do not define and enforce se- into doing information security without a compre- curity policies proactively are in for a rough time hensive and formal risk assessment end up do- when disaster strikes. Simply put, if your security ing a lot of security stuff, but don’t have much to infrastructure isn’t built on a solid foundation, it is show for it when all is said and done. To properly bound to collapse under the weight of increased protect your network, you need to create a matrix threats and vulnerabilities. By creating a security detailing the risks your organization faces, listing foundation, CE’s can easily deal with any new the level of the threat against the likelihood of it regulation. happening. This is especially true given the compliance 80/20 Once the risk assessment is complete, don’t rule. If you take all of the security and privacy make the mistake of attempting to quickly fix all regulations and combine them, there is roughly of the problems by creating a huge to-do list and an 80% commonality between them. The 80/20 then giving it to external consultants to complete. rules shows that having a core framework in The only way to effectively manage risk on en- place to deal with the 80% commonality means terprise networks is to approach the remediation that at worst an enterprise will only have 20% of process in a formal strategic manner - create de- the new regulation to deal with. tailed project plans under the control of an effec- tive project manager. That is where information security frameworks come into the picture. An information security The beauty of a risk assessment is that it tells framework contains the assumptions, concepts, you exactly what you need to worry about. If you risk values, and security practices underlying an don’t take this approach, you end up defending organization’s information security infrastructure. against murky hackers and vague threats from Frameworks such as ISO 270013 and 270024 somewhere. A formalized risk assessment gives and ITIL5 (IT Infrastructure Library) are needed you the knowledge to know who your enemy re- because current healthcare security projects are ally is; Sun Tzu would be proud. much more complex than those of years past. Frameworks provide the formal approach to se- A risk assessment is the ultimate commitment to curity, especially since too many CE’s take an ad HIPAA, as it shows that a CE isn’t simply trying to hoc approach to security, which is an abomina- take a rubber stamp approach to HIPAA, rather tion to every security professional. they are trying to get to the core of the security and privacy issues. More importantly, it shows
HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information that a CE is focusing on the real threats, rather configuration consistency within your organiza- than on perceived external threats. tion. The benefits of Standard Operating Proce- dures (SOP) are immense and include: Step 3 – The 3 P’s • Standardize operations among divisions (Policy, Processes, Procedures) and departments CE’s need information security policies to ensure • Reduce confusion a safe and sound infrastructure. Security policies • Designate responsibility are often the first step in ensuring that corporate • Improve accountability of personnel assets are not squandered by some nefarious • Record the performance of all tasks and employees. Security policies are like fiber, that their results is, the kind you eat. Everyone agrees that fiber • Reduce costs is good for you, but no one really wants to eat it • Reduce liability - so too with information security policies. They are sorely needed, but most users don’t go out of There are many sources for SOP’s, some of their way to comply with them. And in many CE’s, which include: they are not even trained in what they have to do. • ISO 17799 But failure to have adequate information security • CoBIT policies can lead to myriad risks for a CE. • NIST 800 series • Standards for Security Categorization The centrality of information security policies of Federal Information and Information to virtually everything that happens in the infor- Systems (FIPS 199) mation security field is increasingly evident. For • ITIL example, system administrators cannot secure- ly and effectively install a firewall unless they Step 4 – Training and Awareness have received a set of clear information security Effective information security training and aware- policies. These policies will stipulate the type of ness effort can’t be initiated without first writing transmission services that should be permitted, information security policies which provide the how to authenticate the identities of users, and essential content for training and awareness ma- how to log security-relevant events. terials. Establishing clear expectations through an information security awareness program is a Similarly, an effective information security train- critical element of an effective and enforceable ing and awareness effort cannot be initiated with- set of policies. out first writing information security policies, be- cause policies provide the essential content upon Awareness is specifically required in HIPAA sec- which training and awareness material rely. It is tion § 164.308 Administrative safeguards, which for these reasons that every major regulation or states in section (5)(i) Standard: Security aware- standard relating to information security and/or ness and training. Implement a security aware- data privacy specifically requires written security ness and training program for all members of its policy documents. workforce (including management). A comprehensive set of security policies are re- So important is awareness that The Standard of quired to map abstract security concepts to the Good Practice for Information Security from the real world implementation of your security solu- Information Security Forum (ISF) writes that spe- tions as policy defines the aims and goals of the cific activities should be undertaken, such as a CE. security awareness program, to promote security awareness to all individuals who have access to Security processes can help a CE optimize their the information and systems of the organization, IT security infrastructure. The more complex an with the objective to ensure all relevant individu- organization’s IT security infrastructure becomes, als apply security controls and prevent important the more important it is to follow consistent and information used throughout the organization formal security operational processes and poli- from being compromised or disclosed to unau- cies. thorized individuals. Effective procedures ensure a standard level of The ISF defines security awareness as the ex-
HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information tent to which staff understand the importance of Moving Beyond HIPAA information security, the level of security required Once you take care of the above fundamental by the organization and their individual security steps, go full-steam into HIPAA compliance. It responsibilities. is also important to do these steps before using a solution. But once that is done, Lumension’s One of the major problems with all information suite of proactive security solutions can help in security policies revolves around management your HIPAA program to ensure that confidential not knowing whether users have read and un- medical records, specifically patient health in- derstood the policies. If users have not read the formation, remain secure. policies, they may ignorantly do things that cause security problems, for example, opening a file Endpoints, especially ones that move on and sent as an email attachment without scanning the off the network, are extremely vulnerable to file with a virus detection package. If users have data threats as their configurations drift over read the policies, but not sufficiently understood time and not kept up-to-date with the latest them, they may do things that cause security anti-virus and operating system and application problems. patches. Add to this unmanaged removable media (podslurpers) and insecure applications, The true test of understanding would be obser- which together can easily open the floodgates vation in real-world working environments, but for data to escape into the wrong hands, wheth- that is too expensive for many CE’s. As the next er intentionally or accidentally. best thing, users can be tested to determine that they understood the policy, and if they pass a The fact that so many endpoints are infested quiz, then access privileges may be granted. For with spyware, keyloggers and other types of example, a worker who wanted to telecommute malware, which so easily compromise the in- could read the telecommuting security policy, tegrity and confidentiality of patient information, take a quiz, and get a passing score, at which should give any CIO pause. point management would authorize the user to gain access to the organization’s internal network Lumension Security’s Proactive Security Suite over the Internet using a virtual private network. ensures ePHI privacy by providing the neces- In sophisticated organizations, such privileges sary controls to manage the data flowing to and may be enabled automatically based on a quiz from network endpoints and by rapidly secur- delivered through an intranet computer-based ing endpoint configurations and patching and training system or software. remediating software vulnerabilities that could leave IT assets and sensitive data exposed. Some of these solutions include: Solution Benefits Lumension Security • Complete network-based scanning solution enables assessment and Vulnerability Management analysis of threats impacting all network devices. • Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks. • Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured. • Custom remediation capabilities to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more. Lumension Security Policy-based enforcement of application use to secure your endpoints from Endpoint Protection malware, spyware and unwanted or unlicensed software. Lumension Security Policy-based enforcement of removable device use to control the flow of Data Protection inbound and outbound data from your endpoints. Lumension Security Robust data warehouse that enables easy creation and sharing of reports on Reporting and Compliance all aspects of your security efforts in support of policy compliance.
HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information The following table lists just some of the many benefits in which Lumension Security’s Proactive Security Suite helps CE’s: Main Benefit Other Benefits Comply with HIPAA • Reduce the risk of ePHI from being improperly disclosed requirements for safeguarding • Prove compliance with HIPAA by providing a detailed audit trail of all the integrity and availability of device and application execution attempts, by tracking data that is copied ePHI to and from removable devices and by controlling what data is allowed to be copied to a device at the file level • Patch and remediate vulnerabilities before they can be exploited to access ePHI • Control and monitor the flow of inbound and outbound ePHI with removable media and devices • Identify organizational security holes in the protection of ePHI through comprehensive auditing capabilities Prevent malware execution • Protect against network security breaches where ePHI could be exposed originating at an endpoint to fraud • Enable the transmission, integrity, confidentiality and retention of ePHI without disruption, corruption or loss Improve IT system performance • Prevent unwanted applications and devices from burdening network bandwidth • Enable faster computing resources on network, laptops and PCs • Maintain PCs’ performance as new with configurations remaining stable Reduce endpoint security TCO • Minimize security or HIPAA compliance crisis response • Remediate vulnerabilities more quickly and with fewer required resources Improve end user productivity • Block unwanted, non-business applications • Enforce policy to ensure endpoints run as expected Conclusion Security and the protection of PHI is more than just firewalls and encryption. By having this broad ap- proach, and rising above the minimal protection that HIPAA offers, CE’s can ensure that they are HIPAA compliant not only with the letter of the law, but more importantly, the spirit of the law.
HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information About the Author Ben Rothke CISSP, PCI QSA (ben@rothke.com) is a New York based Security Consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006). About Lumension Security™ Lumension Security™, formed by the combination of PatchLink® Corporation and SecureWave® S.A., is a recognized, global security management company, providing unified protection and control of enterprise endpoints for more than 5,100 customers and 14 million nodes worldwide. Leveraging its proven Proactive Security Model, Lumension Security enables organizations to effectively manage risk at the endpoint by delivering best-of-breed, policy-based solutions that simplify the entire security management lifecycle. This includes Vulnerability Management, Endpoint Protection, Data Protection and Reporting Compliance. Headquartered in Scottsdale, Arizona, Lumension has offices worldwide, including Virginia, Florida, Lux- embourg, the United Kingdom, Spain, Australia, Hong Kong and Singapore. Lumension Security™, Inc. 15580 N. Greenway-Hayden Loop, Suite 100 Scottsdale, AZ 85260 www.lumension.com Footnotes: 1. This is due in part since it is relatively easy to correlate unrelated data. 2. Any organization that routinely handles protected health information in any capacity is in all probability a covered entity. 3. ISO/IEC 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations). 4. ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are re- sponsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). 5. ITIL is a customizable framework of best practices designed to promote quality computing services in the information technol- ogy sector.

Recomendados

Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessGary Hayslip CISSP, CISA, CRISC, CCSK
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-FundamentalsGary Hayslip CISSP, CISA, CRISC, CCSK
 
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NISTHIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NISTDavid Sweigert
 
develop security policy
develop security policydevelop security policy
develop security policyInfo-Tech Research Group
 
Hipaa random audit
Hipaa random auditHipaa random audit
Hipaa random auditsupportc2go
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security PolicyRobot Mode
 

Recomendados

Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessGary Hayslip CISSP, CISA, CRISC, CCSK
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-FundamentalsGary Hayslip CISSP, CISA, CRISC, CCSK
 
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NISTHIMSS seeks HIPAA Cybersecurity Framework clarifications from NIST
HIMSS seeks HIPAA Cybersecurity Framework clarifications from NISTDavid Sweigert
 
develop security policy
develop security policydevelop security policy
develop security policyInfo-Tech Research Group
 
Hipaa random audit
Hipaa random auditHipaa random audit
Hipaa random auditsupportc2go
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security PolicyRobot Mode
 
The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilituescomplianceexpert
 
information security management
information security managementinformation security management
information security managementGurpreetkaur838
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 
Information security management (bel g. ragad)
Information security management (bel g. ragad)Information security management (bel g. ragad)
Information security management (bel g. ragad)Rois Solihin
 
The importance of information security
The importance of information securityThe importance of information security
The importance of information securityethanBrownusa
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems PolicyAli Sadhik Shaik
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security ProgramShauna_Cox
 
Securing ever growing and complex business systems v1 1
Securing ever growing and complex business systems v1 1Securing ever growing and complex business systems v1 1
Securing ever growing and complex business systems v1 1Maganathin Veeraragaloo
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Redspin, Inc.
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareDoug Copley
 
Transforming Expectations for Treat-Intelligence Sharing
Transforming Expectations for Treat-Intelligence SharingTransforming Expectations for Treat-Intelligence Sharing
Transforming Expectations for Treat-Intelligence SharingEMC
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 
Cit security offering-overview_20111123
Cit security offering-overview_20111123Cit security offering-overview_20111123
Cit security offering-overview_20111123tommy62dm
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareCompTIA
 
The Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookThe Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookJAMES E. McDONALD, PSNA
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiBiznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiebuc
 
General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001Owako Rodah
 
Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containersAbhishek Sood
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfarjunenterprises1978
 

Más contenido relacionado

La actualidad más candente

The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilituescomplianceexpert
 
information security management
information security managementinformation security management
information security managementGurpreetkaur838
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 
Information security management (bel g. ragad)
Information security management (bel g. ragad)Information security management (bel g. ragad)
Information security management (bel g. ragad)Rois Solihin
 
The importance of information security
The importance of information securityThe importance of information security
The importance of information securityethanBrownusa
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems PolicyAli Sadhik Shaik
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law Owako Rodah
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security ProgramShauna_Cox
 
Securing ever growing and complex business systems v1 1
Securing ever growing and complex business systems v1 1Securing ever growing and complex business systems v1 1
Securing ever growing and complex business systems v1 1Maganathin Veeraragaloo
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Redspin, Inc.
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareDoug Copley
 
Transforming Expectations for Treat-Intelligence Sharing
Transforming Expectations for Treat-Intelligence SharingTransforming Expectations for Treat-Intelligence Sharing
Transforming Expectations for Treat-Intelligence SharingEMC
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 
Cit security offering-overview_20111123
Cit security offering-overview_20111123Cit security offering-overview_20111123
Cit security offering-overview_20111123tommy62dm
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareCompTIA
 
The Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookThe Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookJAMES E. McDONALD, PSNA
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiBiznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiebuc
 
General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001Owako Rodah
 

La actualidad más candente (20)

The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilitues
 
information security management
information security managementinformation security management
information security management
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
Information security management (bel g. ragad)
Information security management (bel g. ragad)Information security management (bel g. ragad)
Information security management (bel g. ragad)
 
The importance of information security
The importance of information securityThe importance of information security
The importance of information security
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 
Securing ever growing and complex business systems v1 1
Securing ever growing and complex business systems v1 1Securing ever growing and complex business systems v1 1
Securing ever growing and complex business systems v1 1
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in Healthcare
 
Transforming Expectations for Treat-Intelligence Sharing
Transforming Expectations for Treat-Intelligence SharingTransforming Expectations for Treat-Intelligence Sharing
Transforming Expectations for Treat-Intelligence Sharing
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and Prospect
 
Cit security offering-overview_20111123
Cit security offering-overview_20111123Cit security offering-overview_20111123
Cit security offering-overview_20111123
 
Tech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in HealthcareTech Refresh - Cybersecurity in Healthcare
Tech Refresh - Cybersecurity in Healthcare
 
The Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookThe Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_book
 
Biznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspektiBiznesa infrastruktūras un datu drošības juridiskie aspekti
Biznesa infrastruktūras un datu drošības juridiskie aspekti
 
General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001
 

Similar a HIPAA and Beyond: Effectively Safeguard EPHI

Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containersAbhishek Sood
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfarjunenterprises1978
 
Cloud compliance test
Cloud compliance testCloud compliance test
Cloud compliance testPrancer Io
 
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...Ajeet Singh
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMBMeHealthCareSolutions
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryTrend Micro
 
An Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdfAn Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdfSeasiaInfotech2
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcementsupportc2go
 
Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Aegify Inc.
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Redspin, Inc.
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Redspin, Inc.
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare softwareConcetto Labs
 
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!Shelly Megan
 
HIPAA-Compliant Healthcare App.pdf
HIPAA-Compliant Healthcare App.pdfHIPAA-Compliant Healthcare App.pdf
HIPAA-Compliant Healthcare App.pdfphilipthomas428223
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentationProvider Resources Group
 
Hipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized ReportHipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized Reporttbeckwith
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurancemindleaftechnologies
 
It industry regulations
It industry regulationsIt industry regulations
It industry regulationsNicholas Davis
 

Similar a HIPAA and Beyond: Effectively Safeguard EPHI (20)

Guide to hipaa compliance for containers
Guide to hipaa compliance for containersGuide to hipaa compliance for containers
Guide to hipaa compliance for containers
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
 
Cloud compliance test
Cloud compliance testCloud compliance test
Cloud compliance test
 
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
 
An Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdfAn Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdf
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
 
Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
Ensuring Security, Privacy, and Compliance in Healthcare IT - Redspin Informa...
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
 
Hipaa checklist for healthcare software
Hipaa checklist for healthcare softwareHipaa checklist for healthcare software
Hipaa checklist for healthcare software
 
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
 
HIPAA-Compliant Healthcare App.pdf
HIPAA-Compliant Healthcare App.pdfHIPAA-Compliant Healthcare App.pdf
HIPAA-Compliant Healthcare App.pdf
 
HIPAA AND IT AUDITS.pdf
HIPAA AND IT AUDITS.pdfHIPAA AND IT AUDITS.pdf
HIPAA AND IT AUDITS.pdf
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
 
Hipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized ReportHipaa Gap Assessment.Sanitized Report
Hipaa Gap Assessment.Sanitized Report
 
MindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insuranceMindLeaf - HIPAA privacy and cybersecurity insurance
MindLeaf - HIPAA privacy and cybersecurity insurance
 
It industry regulations
It industry regulationsIt industry regulations
It industry regulations
 

Más de Ben Rothke

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Ben Rothke
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsBen Rothke
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionRothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionBen Rothke
 
E5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionE5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionBen Rothke
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about themBen Rothke
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comLessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comBen Rothke
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligattBen Rothke
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeInterop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeBen Rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperBen Rothke
 
Rothke effective data destruction practices
Rothke effective data destruction practicesRothke effective data destruction practices
Rothke effective data destruction practicesBen Rothke
 
Rothke computer forensics show 2010
Rothke computer forensics show 2010Rothke computer forensics show 2010
Rothke computer forensics show 2010Ben Rothke
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceBen Rothke
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftLa nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftBen Rothke
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperBen Rothke
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 

Más de Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionRothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
E5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionE5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comLessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeInterop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke effective data destruction practices
Rothke effective data destruction practicesRothke effective data destruction practices
Rothke effective data destruction practices
 
Rothke computer forensics show 2010
Rothke computer forensics show 2010Rothke computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftLa nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 

Último

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Último (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

HIPAA and Beyond: Effectively Safeguard EPHI

  • 1. HIPAA and Beyond How to Effectively Safeguard Electronic Protected Health Information Ben Rothke, CISSP PCI QSA August 4th, 2008
  • 2. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information Introduction HIPAA Privacy Rule and Security Rule. The In the world of information security, well-defined Privacy Rule became effective in April 2003 and security programs are the forests, and regulations establishes regulations for the use and disclo- like HIPAA, SoX and PCI are the trees. And too sure of Protected Health Information (PHI). PHI many healthcare organizations mistake the forest is broadly defined as any information about the for the trees. health status, provision of health care, or pay- ment for health care that can be linked to an in- By way of analogy, one of the benefits of Social dividual. This is interpreted rather broadly and Security is SSI or Supplemental Security Income. includes any part of a patient’s medical record or The operative word is supplemental. Social Se- payment history1. curity is meant to augment your retirement, not be the main income source for your retirement. The HIPAA security rule was issued in February HIPAA is much like SSI and meant to supplement 2003 and complements the Privacy Rule. While your formal information security program. If you the Privacy Rule pertains to all PHI, including view HIPAA as the end-all of your information paper- and electronic-based, the Security Rule security and privacy program, you are in huge deals specifically with electronic PHI (EPHI) and trouble. lays out three types of security safeguards re- quired for compliance: administrative, physical This white paper will detail how to go beyond and technical. For each, the Rule identifies vari- HIPAA by showing how to use HIPAA as the ous security standards, and for each standard, it starting point for your security program, and then names both required and addressable implemen- using best practices and Lumension Security so- tation specifications. lutions to improve your overall security posture. Moving Beyond HIPAA HIPAA – Showing its Age HIPAA was created by non-security personnel, Imagine paying $1.25 for a gallon of gasoline. who likely could not differentiate between a fire- One would have to go all the way back to 1996 to wall and fire extinguisher. The outcome is that get that price. Going back to 1996 also takes us HIPAA lacks the depth and breadth on which to to the year when Congress enacted the Health build an information security program. If you build Insurance Portability and Accountability Act your security and privacy program with HIPAA (HIPAA). solely as its foundation, it will fail as HIPAA takes a myopic view of security and privacy with PHI HIPAA was created for health insurance reform being the center of its universe. But there is much and the streamlining of claims, and not about more to information security than PHI. security and privacy. Title I of HIPAA protects health insurance coverage for workers and their With that, covered entities2 (CE) must look be- families when they change or lose their jobs. Ti- yond HIPAA and focus globally if they want more tle II of HIPAA known as the Administrative Sim- than simply HIPAA compliance. plification provisions, requires the establishment of national standards for electronic health care While the intent of HIPAA was valorous, over a transactions and national identifiers for providers, decade has passed since its initial inception and health insurance plans, and employers. it has already begun to show its age. Organiza- tions that mistakenly look to HIPAA for their secu- Administration Simplification provisions also ad- rity infrastructure should stop being shortsighted dress the security and privacy of patient health and look forward. data. The HIPAA security and privacy rules are meant to improve the efficiency and effective- While HIPAA is a static regulation, CE’s exist in a ness of the nation’s health care system by en- dynamic IT world with new threats coming about couraging the widespread use of electronic data daily. When HIPAA first came out, vulnerability interchange in the US health care system. assessments, patching and configuration reme- diation were only typically performed quarterly at HIPAA Security and Privacy Rule best. Now with zero-day threats, lack of a de- Within Administration Simplification exists the fined network perimeter and focus on information
  • 3. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information protection, the need for real-time patching and Using frameworks such as ISO-17799 or ITIL proactive endpoint and data protection is a basic helps CE’s by giving them a structure with which requirement. to protect their IT assets. Also, when an organi- zation decides to formally embrace a framework, The following steps in this white paper will show it sends a strong message of its commitment to you how to get that global view and how to move information security. beyond HIPAA for any CE. Within HIPAA, using a framework can be espe- Step 1 - Using a Framework for Security cially valuable as it can show others the depth of The healthcare industry doesn’t have a lack of your security program, and your overall commit- information security products at its disposal. ment to their security and privacy. As security Data centers are stocked full of racks of firewalls, is becoming a differentiating factor, the use of VPN’s, security appliances and much more. a framework can differentiate your organization While the underlying infrastructure is there, the from insecure ones. challenges CE’s face is making these products work together, to provide adequate security, and Step 2 – Risk Assessment to support their HIPAA compliance effort. The foundation of any information security pro- gram must be a formal and comprehensive risk By employing a well-developed, organized and assessment. If you don’t know your risks, you enforced set of security policies, and by under- have no idea of your security context, no idea of standing where your exposures reside, you will who your adversaries are, and in essence, you be better prepared for issues when they occur. are shooting in the security dark. CE’s that jump Organizations that do not define and enforce se- into doing information security without a compre- curity policies proactively are in for a rough time hensive and formal risk assessment end up do- when disaster strikes. Simply put, if your security ing a lot of security stuff, but don’t have much to infrastructure isn’t built on a solid foundation, it is show for it when all is said and done. To properly bound to collapse under the weight of increased protect your network, you need to create a matrix threats and vulnerabilities. By creating a security detailing the risks your organization faces, listing foundation, CE’s can easily deal with any new the level of the threat against the likelihood of it regulation. happening. This is especially true given the compliance 80/20 Once the risk assessment is complete, don’t rule. If you take all of the security and privacy make the mistake of attempting to quickly fix all regulations and combine them, there is roughly of the problems by creating a huge to-do list and an 80% commonality between them. The 80/20 then giving it to external consultants to complete. rules shows that having a core framework in The only way to effectively manage risk on en- place to deal with the 80% commonality means terprise networks is to approach the remediation that at worst an enterprise will only have 20% of process in a formal strategic manner - create de- the new regulation to deal with. tailed project plans under the control of an effec- tive project manager. That is where information security frameworks come into the picture. An information security The beauty of a risk assessment is that it tells framework contains the assumptions, concepts, you exactly what you need to worry about. If you risk values, and security practices underlying an don’t take this approach, you end up defending organization’s information security infrastructure. against murky hackers and vague threats from Frameworks such as ISO 270013 and 270024 somewhere. A formalized risk assessment gives and ITIL5 (IT Infrastructure Library) are needed you the knowledge to know who your enemy re- because current healthcare security projects are ally is; Sun Tzu would be proud. much more complex than those of years past. Frameworks provide the formal approach to se- A risk assessment is the ultimate commitment to curity, especially since too many CE’s take an ad HIPAA, as it shows that a CE isn’t simply trying to hoc approach to security, which is an abomina- take a rubber stamp approach to HIPAA, rather tion to every security professional. they are trying to get to the core of the security and privacy issues. More importantly, it shows
  • 4. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information that a CE is focusing on the real threats, rather configuration consistency within your organiza- than on perceived external threats. tion. The benefits of Standard Operating Proce- dures (SOP) are immense and include: Step 3 – The 3 P’s • Standardize operations among divisions (Policy, Processes, Procedures) and departments CE’s need information security policies to ensure • Reduce confusion a safe and sound infrastructure. Security policies • Designate responsibility are often the first step in ensuring that corporate • Improve accountability of personnel assets are not squandered by some nefarious • Record the performance of all tasks and employees. Security policies are like fiber, that their results is, the kind you eat. Everyone agrees that fiber • Reduce costs is good for you, but no one really wants to eat it • Reduce liability - so too with information security policies. They are sorely needed, but most users don’t go out of There are many sources for SOP’s, some of their way to comply with them. And in many CE’s, which include: they are not even trained in what they have to do. • ISO 17799 But failure to have adequate information security • CoBIT policies can lead to myriad risks for a CE. • NIST 800 series • Standards for Security Categorization The centrality of information security policies of Federal Information and Information to virtually everything that happens in the infor- Systems (FIPS 199) mation security field is increasingly evident. For • ITIL example, system administrators cannot secure- ly and effectively install a firewall unless they Step 4 – Training and Awareness have received a set of clear information security Effective information security training and aware- policies. These policies will stipulate the type of ness effort can’t be initiated without first writing transmission services that should be permitted, information security policies which provide the how to authenticate the identities of users, and essential content for training and awareness ma- how to log security-relevant events. terials. Establishing clear expectations through an information security awareness program is a Similarly, an effective information security train- critical element of an effective and enforceable ing and awareness effort cannot be initiated with- set of policies. out first writing information security policies, be- cause policies provide the essential content upon Awareness is specifically required in HIPAA sec- which training and awareness material rely. It is tion § 164.308 Administrative safeguards, which for these reasons that every major regulation or states in section (5)(i) Standard: Security aware- standard relating to information security and/or ness and training. Implement a security aware- data privacy specifically requires written security ness and training program for all members of its policy documents. workforce (including management). A comprehensive set of security policies are re- So important is awareness that The Standard of quired to map abstract security concepts to the Good Practice for Information Security from the real world implementation of your security solu- Information Security Forum (ISF) writes that spe- tions as policy defines the aims and goals of the cific activities should be undertaken, such as a CE. security awareness program, to promote security awareness to all individuals who have access to Security processes can help a CE optimize their the information and systems of the organization, IT security infrastructure. The more complex an with the objective to ensure all relevant individu- organization’s IT security infrastructure becomes, als apply security controls and prevent important the more important it is to follow consistent and information used throughout the organization formal security operational processes and poli- from being compromised or disclosed to unau- cies. thorized individuals. Effective procedures ensure a standard level of The ISF defines security awareness as the ex-
  • 5. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information tent to which staff understand the importance of Moving Beyond HIPAA information security, the level of security required Once you take care of the above fundamental by the organization and their individual security steps, go full-steam into HIPAA compliance. It responsibilities. is also important to do these steps before using a solution. But once that is done, Lumension’s One of the major problems with all information suite of proactive security solutions can help in security policies revolves around management your HIPAA program to ensure that confidential not knowing whether users have read and un- medical records, specifically patient health in- derstood the policies. If users have not read the formation, remain secure. policies, they may ignorantly do things that cause security problems, for example, opening a file Endpoints, especially ones that move on and sent as an email attachment without scanning the off the network, are extremely vulnerable to file with a virus detection package. If users have data threats as their configurations drift over read the policies, but not sufficiently understood time and not kept up-to-date with the latest them, they may do things that cause security anti-virus and operating system and application problems. patches. Add to this unmanaged removable media (podslurpers) and insecure applications, The true test of understanding would be obser- which together can easily open the floodgates vation in real-world working environments, but for data to escape into the wrong hands, wheth- that is too expensive for many CE’s. As the next er intentionally or accidentally. best thing, users can be tested to determine that they understood the policy, and if they pass a The fact that so many endpoints are infested quiz, then access privileges may be granted. For with spyware, keyloggers and other types of example, a worker who wanted to telecommute malware, which so easily compromise the in- could read the telecommuting security policy, tegrity and confidentiality of patient information, take a quiz, and get a passing score, at which should give any CIO pause. point management would authorize the user to gain access to the organization’s internal network Lumension Security’s Proactive Security Suite over the Internet using a virtual private network. ensures ePHI privacy by providing the neces- In sophisticated organizations, such privileges sary controls to manage the data flowing to and may be enabled automatically based on a quiz from network endpoints and by rapidly secur- delivered through an intranet computer-based ing endpoint configurations and patching and training system or software. remediating software vulnerabilities that could leave IT assets and sensitive data exposed. Some of these solutions include: Solution Benefits Lumension Security • Complete network-based scanning solution enables assessment and Vulnerability Management analysis of threats impacting all network devices. • Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks. • Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured. • Custom remediation capabilities to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more. Lumension Security Policy-based enforcement of application use to secure your endpoints from Endpoint Protection malware, spyware and unwanted or unlicensed software. Lumension Security Policy-based enforcement of removable device use to control the flow of Data Protection inbound and outbound data from your endpoints. Lumension Security Robust data warehouse that enables easy creation and sharing of reports on Reporting and Compliance all aspects of your security efforts in support of policy compliance.
  • 6. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information The following table lists just some of the many benefits in which Lumension Security’s Proactive Security Suite helps CE’s: Main Benefit Other Benefits Comply with HIPAA • Reduce the risk of ePHI from being improperly disclosed requirements for safeguarding • Prove compliance with HIPAA by providing a detailed audit trail of all the integrity and availability of device and application execution attempts, by tracking data that is copied ePHI to and from removable devices and by controlling what data is allowed to be copied to a device at the file level • Patch and remediate vulnerabilities before they can be exploited to access ePHI • Control and monitor the flow of inbound and outbound ePHI with removable media and devices • Identify organizational security holes in the protection of ePHI through comprehensive auditing capabilities Prevent malware execution • Protect against network security breaches where ePHI could be exposed originating at an endpoint to fraud • Enable the transmission, integrity, confidentiality and retention of ePHI without disruption, corruption or loss Improve IT system performance • Prevent unwanted applications and devices from burdening network bandwidth • Enable faster computing resources on network, laptops and PCs • Maintain PCs’ performance as new with configurations remaining stable Reduce endpoint security TCO • Minimize security or HIPAA compliance crisis response • Remediate vulnerabilities more quickly and with fewer required resources Improve end user productivity • Block unwanted, non-business applications • Enforce policy to ensure endpoints run as expected Conclusion Security and the protection of PHI is more than just firewalls and encryption. By having this broad ap- proach, and rising above the minimal protection that HIPAA offers, CE’s can ensure that they are HIPAA compliant not only with the letter of the law, but more importantly, the spirit of the law.
  • 7. HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information About the Author Ben Rothke CISSP, PCI QSA (ben@rothke.com) is a New York based Security Consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006). About Lumension Security™ Lumension Security™, formed by the combination of PatchLink® Corporation and SecureWave® S.A., is a recognized, global security management company, providing unified protection and control of enterprise endpoints for more than 5,100 customers and 14 million nodes worldwide. Leveraging its proven Proactive Security Model, Lumension Security enables organizations to effectively manage risk at the endpoint by delivering best-of-breed, policy-based solutions that simplify the entire security management lifecycle. This includes Vulnerability Management, Endpoint Protection, Data Protection and Reporting Compliance. Headquartered in Scottsdale, Arizona, Lumension has offices worldwide, including Virginia, Florida, Lux- embourg, the United Kingdom, Spain, Australia, Hong Kong and Singapore. Lumension Security™, Inc. 15580 N. Greenway-Hayden Loop, Suite 100 Scottsdale, AZ 85260 www.lumension.com Footnotes: 1. This is due in part since it is relatively easy to correlate unrelated data. 2. Any organization that routinely handles protected health information in any capacity is in all probability a covered entity. 3. ISO/IEC 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations). 4. ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are re- sponsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). 5. ITIL is a customizable framework of best practices designed to promote quality computing services in the information technol- ogy sector.